VLAN Access-List (VACL)

VLAN access-lists (VACL) are very useful if you want to filter traffic within the VLAN. Let me give you an example:

Let’s say I want to make sure that the two computers are unable to communicate with the server. You could use port-security to filter MAC addresses but this isn’t a very safe method.

I will show you how to configure a VACL so that the two computers won’t be able to reach the server. First we have to create an access-list:

SW1(config)#access-list 100 permit ip any host 192.168.1.100

The first step is to create an extended access-list. Traffic from any source to destination IP address 192.168.1.100 should match my access-list. This might look confusing because your gut will tell you to use “deny” in this statement…don’t do it though, use the permit statement! In a VACL the access-list only selects traffic: whatever it permits is what the access-map entry matches, and the dropping is done by the access-map’s action, not by the access-list.

• Sequence number 10 will look for traffic that matches access-list 100. All traffic that is permitted in access-list 100 will match here. The action is to drop this traffic.
• Sequence number 20 doesn’t have a match statement, so everything matches; the action is to forward the traffic.

As a result, all traffic from any host to destination IP address 192.168.1.100 will be dropped and everything else will be forwarded.

SW1(config)#vlan filter NOT-TO-SERVER vlan-list 10

The last step is to apply the VACL to the VLANs you want. I apply mine to VLAN 10. Let’s see if this works or not…
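As an added example (not the lesson’s own output), here is a small Python model of how the switch evaluates this VACL. The vlan access-map lines in it are reconstructed from the description above (sequence 10 matches access-list 100 and drops, sequence 20 has no match statement and forwards); the page itself shows only the access-list and the vlan filter command, so treat the access-map text as an assumption. The script parses the config, evaluates a few constructed flows inside VLAN 10, and also evaluates the same map without sequence 20, where every flow is dropped because of the implicit deny at the end of the access-map.

```python
"""Model of how a Catalyst switch evaluates the VACL from this lesson.

Added example, not the lesson's own output. The vlan access-map lines are
reconstructed from the lesson's description (assumption); the page shows only
the access-list and the 'vlan filter' command.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

# Constructed config modelled on the lesson; the access-map lines are assumed.
CONFIG = """
access-list 100 permit ip any host 192.168.1.100
vlan access-map NOT-TO-SERVER 10
 match ip address 100
 action drop
vlan access-map NOT-TO-SERVER 20
 action forward
vlan filter NOT-TO-SERVER vlan-list 10
"""

# Same map without sequence 20, to show the implicit deny at the end of the map.
CONFIG_NO_SEQ_20 = """
access-list 100 permit ip any host 192.168.1.100
vlan access-map NOT-TO-SERVER 10
 match ip address 100
 action drop
vlan filter NOT-TO-SERVER vlan-list 10
"""


@dataclass
class Ace:
    permit: bool
    src: tuple  # (address as int, wildcard as int)
    dst: tuple


@dataclass
class MapEntry:
    seq: int
    acl: Optional[int] = None   # None = no match statement, matches everything
    action: str = "forward"     # IOS forwards when no action is configured


@dataclass
class Config:
    acls: dict = field(default_factory=dict)     # number -> [Ace]
    maps: dict = field(default_factory=dict)     # map name -> [MapEntry]
    filters: dict = field(default_factory=dict)  # vlan id -> map name


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    kw = tokens.pop(0)
    if kw == "any":
        return (0, 0xFFFFFFFF)
    if kw == "host":
        return (int(IPv4Address(tokens.pop(0))), 0)
    return (int(IPv4Address(kw)), int(IPv4Address(tokens.pop(0))))


def _addr_matches(spec, addr):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(IPv4Address(addr)) & care) == (net & care)


def parse_config(text):
    cfg = Config()
    entry = None  # access-map entry currently being defined
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":               # access-list N permit|deny ip SRC DST
            rest = t[4:]
            src = _parse_addr(rest)
            dst = _parse_addr(rest)
            cfg.acls.setdefault(int(t[1]), []).append(Ace(t[2] == "permit", src, dst))
        elif t[:2] == ["vlan", "access-map"]:   # vlan access-map NAME SEQ
            entry = MapEntry(int(t[3]))
            cfg.maps.setdefault(t[2], []).append(entry)
        elif t[0] == "match" and entry is not None:   # match ip address N
            entry.acl = int(t[3])
        elif t[0] == "action" and entry is not None:  # action drop|forward
            entry.action = t[1]
        elif t[:2] == ["vlan", "filter"]:       # vlan filter NAME vlan-list LIST
            for part in t[4].split(","):
                lo, _, hi = part.partition("-")
                for vlan in range(int(lo), int(hi or lo) + 1):
                    cfg.filters[vlan] = t[2]
    return cfg


def acl_matches(cfg, number, src, dst):
    """True when the ACL permits the flow, which is what 'match' means in a VACL.
    A deny ACE, and the invisible 'deny any' at the end, both mean 'no match'."""
    for ace in cfg.acls.get(number, []):
        if _addr_matches(ace.src, src) and _addr_matches(ace.dst, dst):
            return ace.permit
    return False


def evaluate(cfg, vlan, src, dst):
    """Return 'forward' or 'drop' for an IP packet seen inside the given VLAN."""
    name = cfg.filters.get(vlan)
    if name is None:
        return "forward"  # no VACL applied to this VLAN
    for entry in sorted(cfg.maps[name], key=lambda e: e.seq):
        if entry.acl is None or acl_matches(cfg, entry.acl, src, dst):
            return entry.action
    return "drop"  # nothing matched: implicit deny at the end of the access-map


if __name__ == "__main__":
    # Constructed flows inside VLAN 10; the server is 192.168.1.100.
    flows = [("192.168.1.1", "192.168.1.100"), ("192.168.1.1", "192.168.1.2")]
    for label, text in (("with seq 20", CONFIG), ("without seq 20", CONFIG_NO_SEQ_20)):
        cfg = parse_config(text)
        for src, dst in flows:
            print(f"{label}: {src} -> {dst}: {evaluate(cfg, 10, src, dst)}")
```

Two things worth noticing when you run it: the match is one-directional (traffic from the server back to a host is not matched by access-list 100, but that does not matter because the request never reaches the server), and any VLAN without a vlan filter is untouched, so the same map applied to VLAN 10 only leaves VLAN 20 alone.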


Forum Replies

ACLs and Route Maps are my biggest struggle in my network studies. I understand your first sentence about statement 10. Your second sentence about statement 20 is confusing.
“If you don’t add statement 20 then ALL traffic will be dropped. For example, when 192.168.1.1 tries to reach 192.168.1.2, it would be dropped. That’s why we added statement 20”
Why would that be the case? The Access-list and statement 10 are very specific in saying if any host tries to reach 192.168.1.100 (the server) – DROP IT. That being the case…. Why would 192.168.1.1 to be able t

This is because the default action is always to drop the traffic. Without that second statement, the default action will be drop. That’s why I added it. Without any access-list in statement 20, all remaining traffic is permitted.

The same thing applies to normal access-lists. Everything you don’t permit is denied by the invisible “deny any” at the bottom of the access-list.

It is true that both an access list as well as a VACL will use up more resources (CPU memory etc) of a device. And yes, this is why marking can be used instead of classification to avoid using ACLs in order to improve resource usage. However, this is an alternative for a very specific situation, specifically QoS. VACLs filter traffic within a VLAN, something that cannot be done in another way. However, keep in mind that you would require hundreds of VACLs and lots of traffic in order to reach the point of saturating the resources of a device.
